It’s well-known that the road is long and challenging for Department of Defense (DoD) contractors pursuing a Cybersecurity Maturity Model Certification (CMMC), and especially so for small businesses. Costs are intense, resources are few, and the policies required are many. And aside from these things, cybersecurity can be confusing, especially for those without a dedicated IT or security staff. As a result of these factors, some small business defense contractors have had no choice but to consider leaving the Defense Industrial Base (DIB) altogether. In this post, we sift through the high-level complexities of CMMC compliance and identify specific challenges found among small businesses within the DIB. We also share our experiences as a small business DoD contractor on how our peers can overcome these hurdles to remain part of the nation’s most important supply chain.
This post was inspired by a presentation Nathan Cross delivered at the Three Rivers Information Security Symposium in Pittsburgh, PA in late 2022. If you are interested in having Totem present at a conference near you or via an online webinar, let us know!
Brief overview of CMMC
As alluded to in the introduction, if you have a contract to provide a good or service to the DoD, you are a member of the Defense Industrial Base. DIB members handle different types of DoD information varying in levels of sensitivity, two of which include Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The FAR 52.204-21 and DFARS 252.204-7012 clauses, which you may find in your contract, dictate the protection of these information types, respectively. For FAR 52.204-21, you are to implement 17 “basic” cybersecurity safeguards; for DFARS 252.204-7012, the 110 safeguards outlined in NIST SP 800-171.
CMMC, then, is the initiative launched by the DoD that assesses the implementation of these safeguards, where those DIB members who pass an assessment (or submit a successful self-assessment if pursuing Level 1) receive a CMMC certification. The table below demonstrates the relationship between clauses, the safeguards to be implemented, and the corresponding CMMC level.
CMMC is an organization-wide endeavor that requires extensive planning and preparation. We cover the entire CMMC compliance process in our quarterly Workshop. Come join us!
Small business CMMC challenges
In addition to being a small business DoD contractor ourselves, we have helped hundreds of other small businesses on their CMMC journeys. Along the way, we have seen (and experienced) a multitude of particularly troublesome challenges for small businesses. While we won’t address every single one here, the most pressing challenges relating to CMMC compliance boil down to a few key issues, each of which we will dissect:
- Errant CUI identification or scoping
- Lack of expertise
- Cost
A quick caveat that the purpose of this post is not merely to summarize the overarching challenges of CMMC, since those challenges are also being faced by medium and large contractors. Rather, the purpose is to zero in on unique challenges that make achieving CMMC compliance more difficult for a small business as opposed to larger defense contractors. This is how we arrived at the list above.
Errant CUI identification or scoping
It’s clear that CMMC is meant to protect CUI (and FCI), but this makes a pretty large assumption: that you know what in your environment is CUI. Ever wondered whose responsibility it is to determine what CUI you will handle as part of fulfilling your DoD contract? Let’s refer to some specific language in DODI 5200.48, the instruction in which the DoD established its CUI program:
CUI will be identified in SCGs [Security Classification Guides] to ensure such information receives appropriate protection.
DODI 5200.48 3.7[e]
The program office or requiring activity must identify DoD CUI at the time of contract award...
DODI 5200.48 5.1[e]
The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly.
DODI 5200.48 3.6[a]
In summary, it is the DoD’s responsibility to tell its prime contractors what (if any) CUI they will handle. And, equipped with this knowledge, it is the responsibility of the prime contractors to tell their subcontractors what (if any) CUI they handle. This process should “flow down” whenever another subcontractor is added. Unfortunately, the DoD is not adequately doing its part, and many large prime contractors are flowing down the DFARS 252.204-7012 requirements to their subcontractors without describing what CUI (if any) is present. This results in heaps of confusion and speculation down the supply chain and ultimately overburdens the small business contractors scattered throughout.
A drastic consequence of not knowing exactly what CUI you handle is that it results in flawed scoping; i.e., incorrectly identifying what needs to be secured to handle CUI. In this case, scoping involves pinpointing the Federal Government information being handled (FCI or CUI), characterizing the lifecycle of that information in the contractor’s environment, then listing out the assets (hardware, software, people, facilities) that “touch” that information. This scoping exercise determines the assets that need to be secured. For example, if an accounting associate never processes, transmits, or stores CUI on their workstation, that device is not subject to the CUI-specific requirements in NIST 800-171. Without accurate scoping, one may assume the accounting associate handles CUI, and more money would need to be spent to secure their workstation. In short: scoping can only be done correctly when you know what CUI you handle, and scoping incorrectly will result in unnecessary costs.
Consider a (common) scenario where a small business manufacturer is never told by their prime contractor what CUI they are handling, only that they must adhere to DFARS 252.204-7012, implement NIST 800-171, and plan to pursue CMMC Level 2. In many cases, the small business has never heard of CUI, or any of the aforementioned regulations or frameworks, and is left to make its best guess as to implementing the requirements. (Note: if you are in this situation, DO NOT operate under the assumption that “everything should be treated as CUI” in order to cover your bases. This is flawed scoping and is a costly and unnecessary approach. Feel free to contact us, and we can help you strategize.)
In this case, it is the responsibility of the small business manufacturer to understand what CUI is and that it must be protected if they do handle it, as this is simply part of doing business with the DoD. Additionally, they should understand the regulations and frameworks that come with handling CUI. However, ultimately it is not their responsibility to confirm exactly what CUI they are handling; this must come from the next level above in the supply chain, whether that is the DoD, a prime contractor, or another subcontractor. But, ultimately, it starts with the DoD telling its prime contractors what CUI they are handling, and then this communication, along with the requirements, flowing down where necessary.
If you are a small business DoD contractor with DFARS 252.204-7012 in your contract, and are being told that you handle CUI when you don’t believe you do or ever will, we recommend that you get in contact with your state’s Apex Accelerator (formerly PTAC) program. They may be able to assist with contacting the proper officials to advocate on your behalf that the clause be removed. We also walk through the CUI identification process in our quarterly CMMC Workshops, if you want to be certain that you aren’t (or are) handling CUI.
Lack of expertise
NIST 800-171 is a robust framework that covers a wide array of technical concepts, including endpoint protection, encryption, access control, system hardening, and much more. Therefore, it requires technical expertise to both interpret and implement. Most small businesses do not have this expertise in-house, so they look externally to IT Managed Service Providers (MSPs) for help. One common challenge they face, however, is that most MSPs typically only perform the day-to-day IT responsibilities, and are unable to assist with the auditing and accountability (Security Operations Center — SOC) aspect of NIST 800-171. As a result, they must also outsource to a Managed Security Service Provider (MSSP), further driving costs up. We’ll cover costs in the next subsection, but as you can imagine, the bill grows quickly when you can’t handle these tasks internally.
Additionally, from our experience, only approximately 50% of NIST 800-171 controls can be outsourced to an MSP or MSSP. The other 50% simply cannot be outsourced and must be performed by the small business. Take, for example, establishing a cybersecurity “culture” within your organization. Your users are your most valuable asset in combating cyber threats, and if they are not bought into this culture, the likelihood that they protect your company from dangerous attacks (e.g., phishing) is minimal. You can’t outsource this culture to an MSP or MSSP; it must come from within and be embraced from the top down. However, small businesses do hold an advantage over larger companies in that establishing a cybersecurity culture is typically easier to do with fewer employees. It is much easier to gain buy-in and conduct consistent, impactful training exercises!
Cost
The single most frustrating challenge for small businesses on their CMMC journey is the cost. We aren’t going to sugarcoat it: CMMC is expensive. It’s part of doing business with the DoD. Additionally, because of the first two challenges outlined, the relative costs for CMMC implementation actually increase for small businesses. CMMC does not “scale down” well.
If you handle CUI and are pursuing Level 2, you should expect CMMC to be at least a five-figure monetary commitment on an annual basis. We talk more about cost expectations in our CMMC Workshop, but this estimate is derived from the following costs:
- Implementing NIST 800-171 (which may include potential network re-architecture)
- Engaging an IT MSP and/or MSSP on an ongoing basis
- Hiring a third-party assessor every three years (if pursuing Level 2)
- Continuous monitoring
While we know that the costs for CMMC are high, there are circumstances where they can become devastating for small businesses. For example, consider a situation where a small business contractor is faced with DFARS 252.204-7012, but the costs to implement NIST 800-171 and receive a CMMC certification are greater than the revenue earned from performing their service for the DoD. As a result, the small business would be forced to leave the DIB, because working with the DoD would not produce a positive return on investment. The question then becomes: does the DoD really want to force its smallest contractors out due to cybersecurity compliance costs? That wouldn’t be fair, and it raises a lot of questions about the integrity and purpose of the CMMC program. Time will tell, but with the upcoming NIST 800-171 Revision 3 (currently in DRAFT form), the burden on small businesses is anticipated to be a little lighter. We’ll see how the costs shake out.
The way forward
While it is necessary to discuss how small businesses are struggling with CMMC compliance, it is equally necessary to consider how we overcome these challenges and move forward. To us, it will require a collective effort for all parties involved. Here we describe what each party should look to do.
From our perspective, the challenge of errant CUI identification/scoping can be fixed with proper lines of communication from the top down. The DoD must set a better precedent for communicating with its prime contractors exactly what CUI they are handling as part of their contract. They cannot just flow down the DFARS 252.204-7012 requirements without also describing the CUI being handled. Subsequently, the prime contractors must also tell their subcontractors what CUI they are handling if they are going to flow down the DFARS 252.204-7012 requirements. Furthermore, all parties involved must understand what CUI is, why it must be protected, and the existing frameworks that dictate how to do so.
External Service Providers must also remain dependable and committed to their small business clients’ CMMC journeys. In some cases, MSPs may not fully understand the scope of NIST 800-171, and upon doing so, become unwilling to take the journey with their client. Let us know if you are looking for a committed MSP or MSSP to support you in your CMMC efforts. If you are an MSP/MSSP that wants to become an active supporter of small business DoD contractors, please reach out to us, and we can describe how we can support you.
There is also good news on the cost front. More and more States are recognizing the inequitable financial burden CMMC places on their small business constituents. States are responding by developing grant programs to offset the cost of CMMC compliance. For example, some State universities and technical centers are working with their Manufacturing Extension Partnership (MEP), funded by the US Department of Commerce, on cybersecurity grant programs for small business manufacturers. We are aware that the State of Illinois, for instance, has just such a program and a few of our clients are taking advantage of it. If you’re interested in this, contact your State’s MEP representative, and/or contact us and we can help you do some research on how to fend off some of the cost-based CMMC challenges.
Finally, and perhaps the most important item to remember as final rule-making for CMMC approaches: CMMC is about reducing cybersecurity risk in the DIB. It’s to protect FCI and CUI from spilling into the wrong hands. When the focus drifts away from this and moves instead to bureaucracy and endless checkboxes and paperwork, our adversaries have already won.
Totem's mission is to help small businesses remain part of the DIB
This statement encapsulates why Totem Technologies was born: to help small businesses lower their cybersecurity risk and remain part of the Defense Industrial Base. We want to see small businesses continue to lead the way in fulfilling the DoD’s mission and remaining the backbone of the U.S. economy. In this post, we have identified common challenges to better help small businesses know what hurdles to expect when pursuing CMMC compliance.
If you are looking for more guidance, we invite you to grab a seat in our next CMMC Workshop, where we will help walk you through the DFARS/NIST/CMMC requirements. Or, if you would prefer more hands-on support, consider bringing us on for a gap assessment, where we can do the heavy lifting in preparing your organization for a CMMC assessment. As always, drop us a line if you have any questions about this blog, CMMC, or anything else!
Thanks for reading, and keep fighting the good fight!
–Nathan Cross, Cybersecurity Engineer